Protection of state data in computer system code

ABSTRACT

Method and system are provided for protecting state data of computer system code. The computer system code may be operating system code, subsystem code or application code and the item of state data is not expected to change within the execution of the computer system code. The method includes: creating or modifying an item of state data having a field value and being stored in memory for access by computer system code; registering an item of state data for protection; preserving the field value of the item of state data in a form inaccessible to third party software; validating the field value of the item of state data by comparing a current field value with the preserved field value to determine if the field value has been modified; and, if the field value has been modified, taking appropriate action.

BACKGROUND

The present invention relates to the protection of state data incomputer system code, and more specifically, to preventing third partysoftware modifying state data.

Items of state data are provided for computer system code and the itemsof data are intended to remain static in system code after they arepopulated at startup or during runtime.

It is a common practice for software vendors and original equipmentmanufacturer (OEM) suppliers to modify the state data used by operatingsystem subsystems. This allows vendor code to be invoked in place of the“official” code provided by the subsystem.

SUMMARY

According to an embodiment of the present invention there is provided acomputer-implemented method for protecting state data of computer systemcode, comprising: creating or modifying an item of state data having afield value and being stored in memory for access by computer systemcode; registering an item of state data for protection; preserving thefield value of the item of state data in a form inaccessible to thirdparty software; validating the field value of the item of state data bycomparing a current field value with the preserved field value todetermine if the field value has been modified; and, if the field valuehas been modified, taking appropriate action.

According to a second aspect of the present invention there is provideda system for protecting state data of computer system code, comprising:a processor and a memory configured to provide computer programinstructions to the processor to execute the functions of thecomponents; a new data component for creating or modifying an item ofstate data having a field value and being stored in memory for access bycomputer system code; a registering component for registering an item ofstate data for protection; a data preservation component for preservingthe field value of the item of state data in a form inaccessible tothird party software; a validation component for validating the fieldvalue of the item of state data by comparing a current field value withthe preserved field value to determine if the field value has beenmodified; and an action component for, if the field value has beenmodified, taking appropriate action.

According to a third aspect of the present invention there is provided acomputer program product for protecting state data of computer systemcode, the computer program product comprising a computer readablestorage medium having program instructions embodied therewith, theprogram instructions executable by a processor to cause the processorto: generate (create or modify) an item of state data having a fieldvalue and being stored in memory for access by computer system code;register an item of state data for protection; preserve the field valueof the item of state data in a form inaccessible to third partysoftware; validate the field value of the item of state data bycomparing a current field value with the preserved field value todetermine if the field value has been modified; and, if the field valuehas been modified, take appropriate action.

BRIEF DESCRIPTION OF THE DRAWINGS

The subject matter regarded as the invention is particularly pointed outand distinctly claimed in the concluding portion of the specification.The invention, both as to organization and method of operation, togetherwith objects, features, and advantages thereof, may best be understoodby reference to the following detailed description when read with theaccompanying drawings.

Preferred embodiments of the present invention will now be described, byway of example only, with reference to the following drawings in which:

FIG. 1 is a flow diagram of an example embodiment of a method inaccordance with the present invention;

FIGS. 2A and 2B are flow diagrams of a further example embodiment of amethod in accordance with the present invention;

FIG. 3 is a block diagram of an example embodiment of a system inaccordance with the present invention; and

FIG. 4 is a block diagram of an embodiment of a computer system in whichthe present invention may be implemented.

It will be appreciated that for simplicity and clarity of illustration,elements shown in the figures have not necessarily been drawn to scale.For example, the dimensions of some of the elements may be exaggeratedrelative to other elements for clarity. Further, where consideredappropriate, reference numbers may be repeated among the figures toindicate corresponding or analogous features.

DETAILED DESCRIPTION

The described method and system preserve items of state data that shouldremain static in system code after they are populated at startup orduring runtime. Validation may then be carried out to ensure that thecontents of the items of state data remain unchanged by performingperiodic inspections of the data values and comparing these to thepreserved items of state data. If modifications are detected, the methodand system may report on the changes, undo them if applicable, takeappropriate diagnostic action, and/or potentially terminate the systemto preserve integrity.

The implementation of this method and system assists in the protectionof a system's code from modification. Such modification may be by thirdparty software code, for example, to manage time functions or hookinginto and replacing addresses, or by viruses and malware.

Referring to FIG. 1, a flow diagram 100 shows an example embodiment ofthe described method.

At 101, the described method proposes that specific items of state dataof a computer system's code that are not expected to change within theexecution of the system be registered. Computer system code may beoperating system code, subsystem code, or application code. In thiscontext, references to “system code” or “a system's code” representcomputing environments such as operating systems, subsystems, orapplications.

At 102, the items of state data may be generated (created or populated)with field values. This may be carried out at initialization of thesystem code or during runtime. An example of an item of state data maybe a field in a data structure that addresses a particular computerprogram, or a control block that holds information about the computersystem. Another example may be a field that contains a hardcodedlimiting value of the number of times a particular operation may occur.

If an item of state data is being generated (e.g. created), then theregistration 101 may take place after the generation of the item ofstate data. However, if the item of state data is being changed withnewly populated field values during runtime, then the registration, orre-registration may take place later in the method.

At 103, the items of state data with their field values may be preservedin a manner inaccessible to third party software. This may be carriedout by taking a snapshot copy of the items of state data and recordingthe snapshot elsewhere in the system. In another embodiment, the itemsof state data may be preserved in an encrypted state.

At 104, validation of the items of state data may be carried outperiodically or when required by the system code. The validation maydetect if the field values of the items of state data have been modifiedwhen compared to the preserved values.

At 105, if the field values have been modified, a resultant action to betaken may be determined.

Original equipment manufacture (OEM) and vendor code referred to asthird party software is known to deliberately modify specific fieldswithin system storage (for example, address pointers) to improve theoperation of, or provide an advantage to, the third party software. Theoriginal system code may then not function correctly as the field valuesof the items of state data should not alter during the execution of thesystem. The described method preserves these values, validates theircontent at runtime (not during offline dump processing), and takesappropriate actions accordingly.

If a control block's data is preserved at the time it is instantiated,the system is able to validate that it had not been modified from thatpoint onwards. The preservation of the snapshot of how the controlblocks should look may be stored in a manner that prevents the copy frombeing changed by third party software or malware.

The preservation may be achieved by means of hardening the copy to someinaccessible, non-memory destination, such as a dedicated file ordataset which the system alone had access to, or which was unavailablefor access by other code unless specifically configured to do so by thesecurity administrator. Another alternative would be to encrypt orscramble the snapshot so that it could be maintained in memory but notbe easily updated by third party code to change it in line with thetarget control blocks.

The items of state data may include a wide range of possible forms; someexamples include: data structures, addresses, flags, limiting values,Boolean values, pointers, arrays, constant values, character strings,hash values, binary data, etc.

In one example, a vector control block such as the z/OS communicationsvector table (CVT), status indicators such as the CICS Common ServiceArea (CSA) and Task Control Area (TCA), etc. (z/OS and CICS are trademarks of International Business Machines Corporation) have many pointersto other control blocks and items of state data that are set up duringsystem or task startup and which persist as immutable values for theduration of the execution. These are vulnerable to being modified byvendor or OEM code packages to redirect runtime execution to third partycode. As the described method preserves the control block data at thetime it was instantiated, the system is able to validate that it had notbeen modified from that point onwards.

It is envisaged that the majority of the data of interest forpreservation would be established early on during the systeminitialization. As such, the snapshot of the data to a secured locationwould take place at that time. However, it is possible that state datamay be generated (created, or set up) during normal system execution,after initialization has completed. As such, the method may allow foritems of state data of interest to be established and registered as suchduring normal execution, as well as in system startup.

Having generated and preserved the snapshot of the valid control blockstate data and address, detection validation of the contents could beperformed in a number of ways. It could be driven every-so-often, aspart of a subsystem dispatch cycle for example, or as part of internaltrace recording or housekeeping operations. Alternatively, it could bevalidated as and when the fields themselves are referred to, before usedas a target for a branch (for addresses) or as input to a decision orcalculation (for state data). Another approach could be to validate thecontents on a time-sliced basis, irrespective of what function is beingexecuted at the time.

Once a change to state data of address fields within a control block isdetected, the method may perform one or more of several actions,dependent on what the change was. It would be necessary to determinewhat actions to take, contingent on whether some alterations may beexpected to take place (if say a particular piece of vendor or OEM codeis being used on the system and the operator is satisfied its behaviorof modifying fields is acceptable or not). This may require a referenceto a database of acceptable deviations from taking further action,established when installing the vendor code. Assuming such an acceptancedeviation is not in place, the method may perform one or more of severalactions listed below:

Alert the operator that the change had been detected. This may beimplementation-specific and may, for example, be achieved by: a consolemessage, screen message, alert being issued, exception trace event beingrecorded, memory dump being captured, monitoring data being generated,etc.;

Leave the modified state data as is, i.e. not attempt to undo thechange. This may be acceptable in certain cases; for example, where aknown vendor or OEM product made such modifications, and the operator ofthe system was aware of this and accepted it on their system;

Modify the data back to its original state from the snapshot informationheld by the system. This may be achieved by updating the entire controlblock, or done on a piecemeal basis for individual fields or addressesas they were detected as being changed; or

Terminate the system if such a detected modification was deemed invalidor represented a security breach or exposure.

Referring to FIGS. 2A and 2B, a more detailed flow diagram of an exampleembodiment of the described method is shown.

A system initialization 201 may be carried out. The system may be acomputer operating system or computer subsystem or application that runscode within the operating system.

State data may be generated (step 202) and may be registered (step 203)for monitoring. The field values of the state data may be preserved(step 204). As discussed above, this may be in one of various methodswhich makes the preserved state data inaccessible to third party code.

At 205 it may be determined if there is new data of interest. If so, themethod may loop to generate new state data (step 202).

If there is no new data of interest, it may then be determined ifvalidation is due (step 206). This may occur at various times includingperiodically, when state data is required, or at other times. Ifvalidation is not due, the method may carry on normal execution (step210) and check if there is new data of interest (step 205).

If validation is due (step 206), the data fields of the preserved statedata may be validated (step 207) by comparing their current values tothe preserved values. This may include accessing the preserved statedata from its stored location and decrypting it, if it has been storedin an encrypted form.

It may be determined (step 208) if the data has been modified. If it hasnot been modified, the method may carry on normal execution (step 210)and check if there is new data of interest (step 205).

If it has been modified (step 208), the method may optionally determineif it is an acceptable deviation (step 209) from the preserved statedata. In some embodiments, no deviation may be considered acceptable;however, in other embodiments, there may be some variation allowed. Ifthe deviation is acceptable, the method may carry on normal execution(step 210) and check if there is new data of interest (step 205). If thedeviation is not acceptable, or if no deviation is acceptable, themethod may determine (step 211) appropriate action to take. At thisstep, the flow diagram continues from FIG. 2A (step 221) to FIG. 2B(step 221).

Some appropriate actions that may be taken are shown in FIG. 2B. Adiagnostic message may be sent (step 222) and if this option is selecteda message may be issued (step 223).

An attempt at restoration (step 224) of the field values of the statedata may be carried out. If this is attempted, it may be determined(step 225) if the restoration is successful. If it is not successful, afailure may be reported (step 226).

It may be decided to terminate the system's execution (step 227). Ifthis is decided, the system may terminate (step 228). However, if it isnot decided to terminate the system's execution, the execution maycontinue (step 229) and the method may return (step 230) to step 210 ofFIG. 2A.

The implementation of this method assists in the protection of theexecution of the system. It avoids modification of the system's statedata by viruses or malware, or from unexpected changes from vendor orOEM code. This improves the overall security of the system as a resultby preventing changes to state information that could be detrimental tosystem stability and performance. The method may also help reduceproblems and problem investigation times by avoiding situations wheresuch changes lead to outages or system failures. In avoiding these, itwould be of assistance to maintaining customer satisfaction and helpingmaintain savings in support and service costs.

Third party code may target state data to provide the ability to managetime functions in a running system, and does this by modifying the savedentry point address of the official time management logic with a pointerto the third party product that handles time management instead. Thisallows the third party code to be driven when time-related operationsare to be performed.

Time management operations is one example where this behavior can beseen, but there are many others such as hooks into security code, intocode to perform system monitoring or statistics, into accessingdatabases and external resources, etc.

The practice of “hooking into” and replacing addresses and stateinformation like this can lead to many problems for customers. Forexample, it can introduce issues with reentrancy and thread safety. Theofficial code path may be written to reentrant standards and be able tobe executed in parallel under multiple threads of execution, whereas thehooked-in code may not. This results in undefined behavior, such asabends (abnormal ends), program checks, etc. These problems can lead tosystem outages and downtime for customers, and have to be investigatedby product support teams. There is a cost in terms of time and lostrevenue to the customer, and service costs to companies in having theirsupport organizations debug the problem. It can be the case thatdifferent members of the support teams end up diagnosing the sameunderlying problem at the same time, and not be aware of this due todiffering failure symptoms.

A means of identifying such behavior by vendor code is useful to assistcustomers in understanding what changes are being made to their systemby applying vendor code, and to assist support organizations inidentifying changes to official operating environments, which are oftenvery hard to spot. In addition, the potential to restrict or preventsuch changes is of use in certain customer environments.

Referring to FIG. 3, illustrates an example embodiment of the describedsystem. A monitored system 300 may include at least one processor 301, ahardware module, or a circuit for executing computer instructions.Memory 302 may be configured to provide computer instructions includingsystem code 303 to the at least one processor 301 to carry outfunctionality. Memory 302 may also include stored state data 304 forreferencing by the system code 303.

A data state protection system 310 may be provided for carrying out thefunctionality of the described method. The data state protection system310 may include at least one processor 321 for executing the functionsof the described components which may be software units executing on theat least one processor. Memory 322 may be configured to provide computerinstructions 323 to the at least one processor 321 to carry out thefunctionality of the components.

The data state protection system 310 may include the followingcomponents. A registration component 311 may be provided for registeringitems of state data 304 which are to be preserved and monitored forvalidity. A data preservation component 312 may be provided forpreserving field values of registered items of state data 304. This mayinclude storing a copy of the items of state data in a storage locationinaccessible to third party software and/or encrypting the preservedfield values. A new data component 313 may monitor for new items ofstate data of interest which may be required to be registered by theregistration component 311.

A validation component 314 may validate registered items of state dataat required times by comparing current field values with preserved fieldvalues of the item of state data. A modified data component 315 maydetermine if the field values have been modified and a deviationcomponent 316 may determine if the modification is within acceptable orprescribed limits. An action component 317 may be provided which may beactivated if an unacceptable modification to an item of state data isdetermined.

Referring now to FIG. 4, a schematic of an example of a system 400 inthe form of a computer system or server is shown.

A computer system or server 412 may be operational with numerous othergeneral purpose or special purpose computing system environments orconfigurations. Examples of well-known computing systems, environments,and/or configurations that may be suitable for use with computersystem/server 412 include, but are not limited to, personal computersystems, server computer systems, thin clients, thick clients, hand-heldor laptop devices, multiprocessor systems, microprocessor-based systems,set top boxes, programmable consumer electronics, network PCs,minicomputer systems, mainframe computer systems, and distributed cloudcomputing environments that include any of the above systems or devices,and the like.

Computer system/server 412 may be described in the general context ofcomputer system-executable instructions, such as program modules, beingexecuted by a computer system. Generally, program modules may includeroutines, programs, objects, components, logic, data structures, and soon that perform particular tasks or implement particular abstract datatypes. Computer system/server 412 may be practiced in distributed cloudcomputing environments where tasks are performed by remote processingdevices that are linked through a communications network. In adistributed cloud computing environment, program modules may be locatedin both local and remote computer system storage media including memorystorage devices.

In FIG. 4, a computer system/server 412 is shown in the form of ageneral-purpose computing device. The components of the computersystem/server 412 may include, but are not limited to, one or moreprocessors or processing units 416, a system memory 428, and a bus 418that couples various system components including system memory 428 toprocessing unit 416.

Bus 418 represents one or more of any of several types of busstructures, including a memory bus or memory controller, a peripheralbus, an accelerated graphics port, and a processor or local bus usingany of a variety of bus architectures. By way of example, and notlimitation, such architectures include Industry Standard Architecture(ISA) bus, Micro Channel Architecture (MCA) bus, Enhanced ISA (EISA)bus, Video Electronics Standards Association (VESA) local bus, andPeripheral Component Interconnects (PCI) bus.

Computer system/server 412 typically includes a variety of computersystem readable media. Such media may be any available media that isaccessible by computer system/server 412, and it includes both volatileand non-volatile media, removable and non-removable media.

System memory 428 can include computer system readable media in the formof volatile memory, such as random access memory (RAM) 430 and/or cachememory 432. Computer system/server 412 may further include otherremovable/non-removable, volatile/non-volatile computer system storagemedia. By way of example only, storage system 434 can be provided forreading from and writing to a non-removable, non-volatile magnetic media(not shown and typically called a “hard drive”). Although not shown, amagnetic disk drive for reading from and writing to a removable,non-volatile magnetic disk (e.g., a “floppy disk”), and an optical diskdrive for reading from or writing to a removable, non-volatile opticaldisk such as a CD-ROM, DVD-ROM or other optical media can be provided.In such instances, each can be connected to bus 418 by one or more datamedia interfaces. As will be further depicted and described below,system memory 428 may include at least one program product having a set(e.g., at least one) of program modules that are configured to carry outthe functions of embodiments of the invention.

Program/utility 440, having a set (at least one) of program modules 442,may be stored in memory 428 by way of example, and not limitation, aswell as an operating system, one or more application programs, otherprogram modules, and program data. Each of the operating system, one ormore application programs, other program modules, and program data orsome combination thereof, may include an implementation of a networkingenvironment. Program modules 442 generally carry out the functionsand/or methodologies of embodiments of the invention as describedherein.

Computer system/server 412 may also communicate with one or moreexternal devices 414 such as a keyboard, a pointing device, a display424, etc.; one or more devices that enable a user to interact withcomputer system/server 412; and/or any devices (e.g., network card,modem, etc.) that enable computer system/server 412 to communicate withone or more other computing devices. Such communication can occur viaInput/Output (I/O) interfaces 422. Still yet, computer system/server 412can communicate with one or more networks such as a local area network(LAN), a general wide area network (WAN), and/or a public network (e.g.,the Internet) via network adapter 420. As depicted, network adapter 420communicates with the other components of computer system/server 412 viabus 418. It should be understood that although not shown, other hardwareand/or software components could be used in conjunction with computersystem/server 412. Examples, include, but are not limited to: microcode,device drivers, redundant processing units, external disk drive arrays,RAID systems, tape drives, and data archival storage systems, etc.

The present invention may be a system, a method, and/or a computerprogram product. The computer program product may include a computerreadable storage medium (or media) having computer readable programinstructions thereon for causing a processor to carry out aspects of thepresent invention.

The computer readable storage medium can be a tangible device that canretain and store instructions for use by an instruction executiondevice. The computer readable storage medium may be, for example, but isnot limited to, an electronic storage device, a magnetic storage device,an optical storage device, an electromagnetic storage device, asemiconductor storage device, or any suitable combination of theforegoing. A non-exhaustive list of more specific examples of thecomputer readable storage medium includes the following: a portablecomputer diskette, a hard disk, a random access memory (RAM), aread-only memory (ROM), an erasable programmable read-only memory (EPROMor Flash memory), a static random access memory (SRAM), a portablecompact disc read-only memory (CD-ROM), a digital versatile disk (DVD),a memory stick, a floppy disk, a mechanically encoded device such aspunch-cards or raised structures in a groove having instructionsrecorded thereon, and any suitable combination of the foregoing. Acomputer readable storage medium, as used herein, is not to be construedas being transitory signals per se, such as radio waves or other freelypropagating electromagnetic waves, electromagnetic waves propagatingthrough a waveguide or other transmission media (e.g., light pulsespassing through a fiber-optic cable), or electrical signals transmittedthrough a wire.

Computer readable program instructions described herein can bedownloaded to respective computing/processing devices from a computerreadable storage medium or to an external computer or external storagedevice via a network, for example, the Internet, a local area network, awide area network and/or a wireless network. The network may comprisecopper transmission cables, optical transmission fibers, wirelesstransmission, routers, firewalls, switches, gateway computers and/oredge servers. A network adapter card or network interface in eachcomputing/processing device receives computer readable programinstructions from the network and forwards the computer readable programinstructions for storage in a computer readable storage medium withinthe respective computing/processing device.

Computer readable program instructions for carrying out operations ofthe present invention may be assembler instructions,instruction-set-architecture (ISA) instructions, machine instructions,machine dependent instructions, microcode, firmware instructions,state-setting data, or either source code or object code written in anycombination of one or more programming languages, including an objectoriented programming language such as Smalltalk, C++ or the like, andconventional procedural programming languages, such as the “C”programming language or similar programming languages. The computerreadable program instructions may execute entirely on the user'scomputer, partly on the user's computer, as a stand-alone softwarepackage, partly on the user's computer and partly on a remote computeror entirely on the remote computer or server. In the latter scenario,the remote computer may be connected to the user's computer through anytype of network, including a local area network (LAN) or a wide areanetwork (WAN), or the connection may be made to an external computer(for example, through the Internet using an Internet Service Provider).In some embodiments, electronic circuitry including, for example,programmable logic circuitry, field-programmable gate arrays (FPGA), orprogrammable logic arrays (PLA) may execute the computer readableprogram instructions by utilizing state information of the computerreadable program instructions to personalize the electronic circuitry,in order to perform aspects of the present invention.

Aspects of the present invention are described herein with reference toflowchart illustrations and/or block diagrams of methods, apparatus(systems), and computer program products according to embodiments of theinvention. It will be understood that each block of the flowchartillustrations and/or block diagrams, and combinations of blocks in theflowchart illustrations and/or block diagrams, can be implemented bycomputer readable program instructions.

These computer readable program instructions may be provided to aprocessor of a general purpose computer, special purpose computer, orother programmable data processing apparatus to produce a machine, suchthat the instructions, which execute via the processor of the computeror other programmable data processing apparatus, create means forimplementing the functions/acts specified in the flowchart and/or blockdiagram block or blocks. These computer readable program instructionsmay also be stored in a computer readable storage medium that can directa computer, a programmable data processing apparatus, and/or otherdevices to function in a particular manner, such that the computerreadable storage medium having instructions stored therein comprises anarticle of manufacture including instructions which implement aspects ofthe function/act specified in the flowchart and/or block diagram blockor blocks.

The computer readable program instructions may also be loaded onto acomputer, other programmable data processing apparatus, or other deviceto cause a series of operational steps to be performed on the computer,other programmable apparatus or other device to produce a computerimplemented process, such that the instructions which execute on thecomputer, other programmable apparatus, or other device implement thefunctions/acts specified in the flowchart and/or block diagram block orblocks.

The flowchart and block diagrams in the Figures illustrate thearchitecture, functionality, and operation of possible implementationsof systems, methods, and computer program products according to variousembodiments of the present invention. In this regard, each block in theflowchart or block diagrams may represent a module, segment, or portionof instructions, which comprises one or more executable instructions forimplementing the specified logical function(s). In some alternativeimplementations, the functions noted in the block may occur out of theorder noted in the figures. For example, two blocks shown in successionmay, in fact, be executed substantially concurrently, or the blocks maysometimes be executed in the reverse order, depending upon thefunctionality involved. It will also be noted that each block of theblock diagrams and/or flowchart illustration, and combinations of blocksin the block diagrams and/or flowchart illustration, can be implementedby special purpose hardware-based systems that perform the specifiedfunctions or acts or carry out combinations of special purpose hardwareand computer instructions.

The descriptions of the various embodiments of the present inventionhave been presented for purposes of illustration, but are not intendedto be exhaustive or limited to the embodiments disclosed. Manymodifications and variations will be apparent to those of ordinary skillin the art without departing from the scope and spirit of the describedembodiments. The terminology used herein was chosen to best explain theprinciples of the embodiments, the practical application or technicalimprovement over technologies found in the marketplace, or to enableothers of ordinary skill in the art to understand the embodimentsdisclosed herein.

Improvements and modifications can be made to the foregoing withoutdeparting from the scope of the present invention.

What is claimed is:
 1. A computer-implemented method for protectingstate data of computer system code, comprising: generating an item ofstate data having a field value and being stored in memory for access bycomputer system code; registering the item of state data for protection,wherein registering the item of state data for protection is carried outat system runtime when an item of state data is modified; preserving thefield value of the item of state data in a form inaccessible to thirdparty software by taking a snapshot copy of the item of the state data,and wherein preserving the field value encrypts the field value beforestoring; validating the field value of the item of state data bycomparing a current field value with the preserved field value todetermine when the field value has been modified; and in response to thefield value being modified, initiating an action, the action includingone or more of: alerting an operator, keeping the modified field value,returning the field value back to the preserved field value, orterminating the system, wherein validating the field value is carriedout at one or more of the following times: periodically, as part of adispatch cycle, as part of internal trace recording, as a housekeepingoperation, when the fields are referred to.
 2. The method as claimed inclaim 1, wherein registering the item of state data for protection iscarried out at system initialization when the item of state data iscreated.
 3. The method as claimed in claim 1, wherein preserving thefield value hardens a copy of the field value to a non-memorydestination which the computer system code only has access to.
 4. Themethod as claimed in claim 1, wherein validating the field value appliesan acceptable deviation between a current field value and the preservedfield value.
 5. The method as claimed in claim 1, wherein preserving thefield value of the item of state data includes preserving multiple fieldvalues of multiple items of state data in a single preserving operation.6. The method as claimed in claim 1, wherein generating includesmodifying or creating, or both.
 7. A computer system for protectingstate data of computer system code, the computer system comprising: oneor more computer processors; one or more computer-readable storagemedia; program instructions stored on the computer-readable storagemedia for execution by at least one of the one or more processors, theprogram instructions comprising: instructions to generate an item ofstate data having a field value and being stored in memory for access bycomputer system code; instructions to register the item of state datafor protection, wherein registering the item of state data forprotection is carried out at system runtime when an item of state datais modified; instructions to preserve the field value of the item ofstate data in a form inaccessible to third party software by taking asnapshot copy of the item of the state data, and wherein preserving thefield value encrypts the field value before storing; instructions tovalidate the field value of the item of state data by comparing acurrent field value with the preserved field value to determine when thefield value has been modified; and in response to the field value beingmodified, instructions to initiate an action, the action including oneor more of: alerting an operator, keeping the modified field value,returning the field value back to the preserved field value, orterminating the system, wherein validating the field value is carriedout at one or more of the following times: periodically, as part of adispatch cycle, as part of internal trace recording, as a housekeepingoperation, when the fields are referred to.
 8. The system as claimed inclaim 7, wherein the instructions to register the item of state data forprotection is implemented at system initialization when the item ofstate data is created.
 9. The system as claimed in claim 7, wherein theinstructions to preserve the field values hardens a copy of the fieldvalue to a non-memory destination which the system computer code onlyhas access to.
 10. The system as claimed in claim 7, wherein theinstructions to validate the field values applies an acceptabledeviation between the current field value and the preserved field value.11. The system as claimed in claim 7, wherein the computer system codeis operating system code, subsystem code or application code and theitem of state data is not expected to change within the execution of thecomputer system code.
 12. The system as claimed in claim 7, whereingenerating includes modifying or creating, or both.
 13. A computerprogram product for protecting state data of computer system code,comprising a computer-readable storage medium having program codeembodied therewith, the program code executable by a processor of acomputer to perform a method comprising: generating an item of statedata having a field value and being stored in memory for access bycomputer system code; registering the item of state data for protection,wherein registering the item of state data for protection is carried outat system runtime when an item of state data is modified; preserving thefield value of the item of state data in a form inaccessible to thirdparty software by taking a snapshot copy of the item of the state data,and wherein preserving the field value encrypts the field value beforestoring; validating the field value of the item of state data bycomparing a current field value with the preserved field value todetermine when the field value has been modified; and in response to thefield value being modified, initiating an action, the action includingone or more of: alerting an operator, keeping the modified field value,returning the field value back to the preserved field value, orterminating the system, wherein validating the field value is carriedout at one or more of the following times: periodically, as part of adispatch cycle, as part of internal trace recording, as a housekeepingoperation, when the fields are referred to.